Cyber-security
Patrick MANA
Cyber-security Project Manager
GANIS/SANIS, ICAO HQ, Montreal, 11-15 December 2017
Sharing cyber-info
• The ICAO 39th Assembly calls upon States and industry stakeholders to take the following actions to counter cyber threats to civil aviation:
  a. encourage Government/industry coordination with regard to aviation cyber-security strategies, policies, and plans, as well as sharing of information to help identify critical vulnerabilities that need to be addressed;
  b. develop and participate in Government/industry partnerships and mechanisms, nationally and internationally, for the systematic sharing of information on cyber threats, incidents, trends and mitigation efforts;
  c. establish policies and allocate resources when needed to ensure that, for critical aviation systems: system architectures are secure by design; systems are resilient; methods for data transfer are secured, ensuring integrity and confidentiality of data; system monitoring, and incident detection and reporting, methods are implemented; and forensic analysis of cyber incidents is carried out.
What is happening out there?
• Is ATM attacked today?
  • We don't really know: we are rather blind, due to very limited monitoring/detection means
  • Yes ... though not always specifically targeted
  • "Limited" impact
Attacks?
• Will ATM be attacked tomorrow?
  • Yes, it will happen for sure ... so we have to be ready: monitoring/protection means in place
  • More open architecture: mix of legacy and new architecture (e.g. SWIM) ... but some key assets may need to be isolated
  • New attackers
Risk-based approach
… but “Likelihood” is challenging
[Figure: risk matrix with Likelihood and Impact axes; regions labelled ACCEPTABLE, TOLERABLE (= compliant with regulations) and UNACCEPTABLE risk]
How to protect your operations?
• Set a policy and its associated framework
• Identify primary assets ("crown jewels")
• Define priorities (risk classification)
• Protect assets according to risk and develop resilience
  • People: training, education, mindset
  • Procedures: e.g. resume operations AND preserve artefacts/evidence; maintenance ... supply chain; multiple changes
  • Equipment: legacy not designed with built-in security
• ISMS & cyber management system
• Cyber-monitoring: don't start with technology, think operations
  => Deploy means to monitor/detect/prevent/protect, including a Security Operations Center
• €1 spent on a cyber-attack => €30 to €40 to protect your operations against it
Cyber-resilience : a change of culture
[Figure: cyber-resilience rests on People, Procedure and Equipment; non-ATM systems such as the BMS, HVAC and power supply are in scope (EUROCONTROL/EATM-CERT)]
Resilience so far mainly designed for safety ... now also for security
• e.g. "I have firewall(s), thus my internal network/machines are protected"
  • Do you use X.509 digital certificates for SWIM and non-SWIM, for external AND internal exchanges of information?
• e.g. "I have an anti-virus, thus my internal network/machines are protected"
  • Is it updated with the latest signatures and CVE information?
  • Can viruses get through anyway? Yes
Reconcile safety and security
• e.g. a zero-day ~ months to many years
CYBER-SECURITY, ESPECIALLY IN AVIATION, IS NOT A NATIONAL-ONLY ISSUE
LET'S SHARE CYBER-INFO FOR REAL
Lesson learned from WannaCry and NotPetya: need for more cross-national sharing/coordination
Sharing data, knowledge, cyber-intelligence => need for regional and sectorial CERTs and ISACs
• Reduce our cost to protect ourselves
• Increase the cost on the "bad guys" side
An objective could be: let's make a type of cyber-attack work at most once.
Exchange of cyber-info can be achieved with simple existing technology/standards:
- Basic: encrypted e-mail, restricted-access portal, ...
- Enhanced: MISP, STIX/TAXII, ...
... and TRUST
TWO EXAMPLES:
- REGIONAL SECTORIAL CERT
- REGIONAL BRIDGE FOR DIGITAL CERTIFICATES
Need for a regional sectorial (ATM) CERT: combine cyber and domain expertise
[Figure: EATM-CERT ecosystem. EATM-CERT sits at the centre: EUROCONTROL SOCs send it logs and receive recommendations; ATM stakeholders and their SOCs, and ATM manufacturers, send alerts/incidents and receive intelligence/services; significant incidents also go to national CERTs. EATM-CERT exchanges alerts, incidents and intelligence with CERT-EU, EUROPOL, ENISA, NATO/EDA, EASA (ECCSA), EA-ISAC, national and thematic CERTs, cyber-intelligence providers and ATM CI providers (US and other regions' ATM CERTs).]
CERT and SOC are complementary services
[Figure: the CERT covers the strategic and tactical levels, the SOCs the operational level, for ANSPs and AOs]
CERT services: share info to prevent incidents and coordinate the response to incidents; federate multiple systems/services and their SOC(s)
• Proactive services: analysis of information to generate ATM- and stakeholder-relevant information
  • Discover vulnerabilities and propose fixes before they are exploited (design review, penetration testing, red teaming, ...)
  • Inform about attackers' Tactics, Techniques and Procedures to protect systems/services before being hit
  • Inform about Indicators of Compromise (malware, IP addresses, URLs) to protect systems/services before being hit
• Reactive services:
  • Support to incident reaction/remediation, coordination amongst the various entities being hit
  • Hunting/post-analysis in case of incidents
  • Forensic investigation
SOC services: (24h) monitoring of systems/services activities to detect abnormal situations
• Analyse abnormal situations detected by the SIEM (Security Information and Event Management) tool
• Filter false-positive alerts (e.g. within 45 min)
• Analyse true alerts/incidents and propose remediation actions (e.g. within 1 or 24 hours)
• Improve abnormal-situation detection criteria/thresholds ("correlation rules") using CERT info
• Update the SIEM with info provided by the CERT
Stakeholder (ANSP/AO) actions:
• Decide whether CERT or SOC recommendations have to be implemented, and implement them
• Update security controls (firewalls, AV, IDS, ...) and systems/applications using CERT info
• Manage cyber incidents with CERT and/or SOC support
• Post-incident analysis with CERT support
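The sharing formats named earlier ("Enhanced: MISP, STIX/TAXII") and the SOC step "update the SIEM with info provided by the CERT" are two ends of one loop: ingest indicators in a machine-readable form, then correlate them with your own logs. The Go program below is an added example, not part of the presentation and not EATM-CERT code: it parses a constructed STIX 2.1 bundle (made-up indicator IDs, documentation-range IP addresses, reserved .invalid domains), drops indicators whose valid_until has passed, and runs the remaining IoCs as a correlation rule over constructed proxy/firewall log lines.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// certBundle is a constructed STIX 2.1 bundle standing in for what a sector CERT would
// publish over TAXII; IDs and values are made up (documentation IP ranges, reserved TLD).
const certBundle = `{"type": "bundle", "id": "bundle--0e5e7bc0-0000-4000-8000-000000000001", "objects": [
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--0e5e7bc0-0000-4000-8000-000000000002",
   "created": "2017-12-01T00:00:00.000Z", "modified": "2017-12-01T00:00:00.000Z", "pattern_type": "stix",
   "name": "Ransomware C2 reported by a member ANSP (constructed)", "valid_from": "2017-12-01T00:00:00Z",
   "pattern": "[ipv4-addr:value = '203.0.113.42' OR domain-name:value = 'update.example.invalid']"},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--0e5e7bc0-0000-4000-8000-000000000003",
   "created": "2016-05-01T00:00:00.000Z", "modified": "2016-05-01T00:00:00.000Z", "pattern_type": "stix",
   "name": "Scanner sinkholed at the end of 2016 (constructed)", "pattern": "[ipv4-addr:value = '198.51.100.7']",
   "valid_from": "2016-05-01T00:00:00Z", "valid_until": "2016-12-31T00:00:00Z"}]}`

// sampleLogs are constructed proxy/firewall events in key=value form.
var sampleLogs = []string{
	"2017-12-13T10:00:01Z proxy src=10.0.0.5 dst=192.0.2.10 host=swim.example.invalid action=allow",
	"2017-12-13T10:00:02Z proxy src=10.0.0.7 dst=203.0.113.42 host=update.example.invalid action=allow",
	"2017-12-13T10:00:03Z fw src=10.0.0.9 dst=198.51.100.7 action=allow",
	"2017-12-13T10:00:04Z proxy src=10.0.0.7 dst=192.0.2.11 host=update.example.invalid action=deny",
}

// indicator keeps the STIX fields this example needs; other bundle objects
// (relationships, identities, ...) have no pattern and contribute no IOCs.
type indicator struct {
	ID         string `json:"id"`
	Pattern    string `json:"pattern"`
	ValidUntil string `json:"valid_until"`
}

// IOC is one atomic "object:property = 'value'" comparison lifted from a STIX pattern.
type IOC struct{ Kind, Value, IndicatorID string }

var comparisonRe = regexp.MustCompile(`([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'`)
var fieldRe = regexp.MustCompile(`\b(dst|host)=(\S+)`)

// LoadIOCs extracts the comparisons of every indicator still valid at `now`. Only the
// common "[a = 'x' OR b = 'y']" shape is handled (AND, FOLLOWEDBY, LIKE ... need a real
// STIX pattern parser); valid_from is not checked in this example.
func LoadIOCs(bundleJSON string, now time.Time) (map[string]IOC, error) {
	var b struct {
		Objects []indicator `json:"objects"`
	}
	if err := json.Unmarshal([]byte(bundleJSON), &b); err != nil {
		return nil, err
	}
	out := map[string]IOC{}
	for _, ind := range b.Objects {
		if ind.ValidUntil != "" { // a stale IOC left in the SIEM only breeds false positives
			until, err := time.Parse(time.RFC3339, ind.ValidUntil)
			if err != nil {
				return nil, fmt.Errorf("%s: bad valid_until: %w", ind.ID, err)
			}
			if !now.Before(until) {
				continue
			}
		}
		for _, m := range comparisonRe.FindAllStringSubmatch(ind.Pattern, -1) {
			out[m[1]+"="+strings.ToLower(m[2])] = IOC{m[1], strings.ToLower(m[2]), ind.ID}
		}
	}
	return out, nil
}

// Alert ties a log line to the indicator it matched and the value that matched.
type Alert struct{ Line, IndicatorID, Matched string }

// Correlate is the SIEM-side rule: each dst= (IPv4) and host= (domain) field is looked
// up in the IOC set; several hits on one line for the same indicator give one alert.
func Correlate(iocs map[string]IOC, lines []string) []Alert {
	kinds := map[string]string{"dst": "ipv4-addr:value", "host": "domain-name:value"}
	var alerts []Alert
	for _, line := range lines {
		seen := map[string]bool{}
		for _, m := range fieldRe.FindAllStringSubmatch(line, -1) {
			ioc, hit := iocs[kinds[m[1]]+"="+strings.ToLower(m[2])]
			if hit && !seen[ioc.IndicatorID] {
				seen[ioc.IndicatorID] = true
				alerts = append(alerts, Alert{line, ioc.IndicatorID, ioc.Value})
			}
		}
	}
	return alerts
}

func main() {
	iocs, err := LoadIOCs(certBundle, time.Date(2017, 12, 13, 12, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	for _, a := range Correlate(iocs, sampleLogs) {
		fmt.Printf("ALERT %s via %s: %s\n", a.IndicatorID, a.Matched, a.Line)
	}
}
```

Run against the constructed data, only the two lines touching the live C2 indicator raise alerts; the 2016 scanner address in the third line stays quiet because its indicator expired, which is the cheapest class of false positive to remove at ingestion rather than in the analyst's queue. Anything richer than an OR of equalities should go through a real STIX pattern library rather than this regular expression.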
Alert/Incident reporting and response:
Necessary cooperation between the National CERT and the regional sectorial CERT
• Incidents of significant importance:
  • To the National CERT (mandatory as per the NIS Directive)
  • To EATM-CERT (on a voluntary basis, if national law permits, e.g. in a legal case)
• Other incidents:
  • To the National CERT (not mandatory under the NIS Directive, and dependent upon National CERT capabilities)
  • To EATM-CERT (on a voluntary basis)
• Alerts:
  • To EATM-CERT (on a voluntary basis)
SWIM COMMON PKI AND POLICIES & PROCEDURES FOR ESTABLISHING A TRUST FRAMEWORK
Projects
• "SDM - SWIM Common PKI and policies & procedures for establishing a Trust framework"
  • INEA call 2017
  • Kick-off: 29/11/2017
  • Decision: mid-2018
• Common approach with the FAA for a Common Bridge/Trust Anchor
Digital certificates
Cross-certification (1/2): what collaboration WITHOUT a cross-certification bridge looks like
[Figure: five independent CAs, CA1 to CA5, linked to one another pairwise]
Cross-certification (2/2): what collaboration WITH a cross-certification bridge looks like
[Figure: a Common Bridge (Trust Anchor) in the middle, with CA1 to CA5 each cross-certified with the bridge only]
SWIM Common PKI (Family 5.1.4)
[Figure: PKI hierarchy. SWIM governance sets up a PMA (Policy Management Authority) over the Common Bridge & Root Certification Authority. The root signs the Issuing CAs: Issuing CA-1 (e.g. non safety critical, special case), Issuing CA-2 (e.g. safety critical), Issuing CA-3 (e.g. reserve (safety critical)), Issuing CA-X ... Local RAs (Registration Authorities) and local CAs serve local applications/users/systems; subscribers are States/Stakeholders, plus other users/apps/systems. Other bridges/CAs (e.g. FAA, ICAO in the future) cross-certify with the Common Bridge.]
World wide PKI: ICAO trust bridge hierarchy ... the dream
World wide PKI: regional CAs with cross-certification ... the reality to start with!
(slides: EUROCONTROL/FAA)
TRUST
• Establishing global "trust" in the user and system identities exchanging digital data is a fundamental requirement to enable a cyber-security solution
• ICAO to play a role in defining the policy, governance and trust framework
Specific objectives through the Cybersecurity Trust Framework
SPECIFICATIONS DEVELOPMENT. Develops common specifications for secure collaboration and information exchange through federation across the aviation community. Establishes common methods and solutions that align and enable global interoperability. The specifications fall into these categories:
• Secure information exchange
• Identity credentials/digital identities and attributes
• Federated identity
• Information assurance
GLOBAL GOVERNANCE. Establishes policy and governance for the aviation community.
• Interoperable Identity Federation Trust Framework
• Common Operating Rules
• Legal Framework & Allocation of Liabilities
• Accreditation & Trustmark
COMMON BRIDGE. Hosts a Common Bridge with aviation-only membership that enables secure collaboration between all aviation stakeholders.